wordpress-agent-kit 0.5.1 → 0.6.0

package/skills-custom/wp-bootstrap/scripts/setup-github.sh

@@ -0,0 +1,417 @@
+#!/usr/bin/env bash
+# setup-github.sh — configure GitHub repo for WP Engine CI/CD using the gh CLI.
+#
+# Checks authentication, reports missing secrets, sets them interactively or
+# from provided values, and configures branch protection for deploy branches.
+#
+# Usage:
+#   bash .agents/skills/wp-bootstrap/scripts/setup-github.sh [OPTIONS]
+#
+# Options:
+#   --check-only        Report status without making any changes (default if no --set-*)
+#   --set-secrets       Interactively set missing WP Engine secrets
+#   --set-protection    Configure branch protection for main/staging/develop
+#   --set-all           Set secrets + branch protection
+#   --wpe-key=<file>    Path to WP Engine SSH private key (default: ~/.ssh/wpengine_ed25519)
+#   --wpe-prod=<slug>   WP Engine production install slug
+#   --wpe-staging=<slug> WP Engine staging install slug
+#   --wpe-dev=<slug>    WP Engine dev install slug
+#   --no-confirm        Skip confirmation prompts (use with care)
+#
+# Requires: gh CLI installed and authenticated (gh auth login)
+#
+# Exit codes:
+#   0  All checks passed / actions completed
+#   1  Error or user cancelled
+#   2  gh CLI not installed or not authenticated
+
+set -uo pipefail
+
+# ── Parse args ────────────────────────────────────────────────────────────────
+CHECK_ONLY=true
+SET_SECRETS=false
+SET_PROTECTION=false
+WPE_KEY_FILE="${HOME}/.ssh/wpengine_ed25519"
+WPE_PROD=""
+WPE_STAGING=""
+WPE_DEV=""
+NO_CONFIRM=false
+
+for arg in "$@"; do
+  case "$arg" in
+    --check-only)        CHECK_ONLY=true ;;
+    --set-secrets)       SET_SECRETS=true; CHECK_ONLY=false ;;
+    --set-protection)    SET_PROTECTION=true; CHECK_ONLY=false ;;
+    --set-all)           SET_SECRETS=true; SET_PROTECTION=true; CHECK_ONLY=false ;;
+    --wpe-key=*)         WPE_KEY_FILE="${arg#--wpe-key=}" ;;
+    --wpe-prod=*)        WPE_PROD="${arg#--wpe-prod=}" ;;
+    --wpe-staging=*)     WPE_STAGING="${arg#--wpe-staging=}" ;;
+    --wpe-dev=*)         WPE_DEV="${arg#--wpe-dev=}" ;;
+    --no-confirm)        NO_CONFIRM=true ;;
+  esac
+done
+
+# ── Helpers ───────────────────────────────────────────────────────────────────
+ok()   { printf '  \033[32m✓\033[0m %s\n' "$*"; }
+fail() { printf '  \033[31m✗\033[0m %s\n' "$*" >&2; }
+warn() { printf '  \033[33m⚠\033[0m %s\n' "$*"; }
+info() { printf '  \033[34m→\033[0m %s\n' "$*"; }
+sep()  { printf '\n\033[1m── %s\033[0m\n' "$*"; }
+
+confirm() {
+  local prompt="${1} [y/N] "
+  $NO_CONFIRM && { echo "(auto-confirmed)"; return 0; }
+  read -r -p "$prompt" ans
+  [[ "${ans,,}" == "y" || "${ans,,}" == "yes" ]]
+}
+
+# ── 1. Check gh CLI ───────────────────────────────────────────────────────────
+sep "GitHub CLI check"
+
+if ! command -v gh >/dev/null 2>&1; then
+  fail "gh CLI not installed."
+  echo "      Install: https://cli.github.com"
+  echo "      macOS:   brew install gh"
+  echo "      Linux:   sudo apt install gh  (or see above URL)"
+  exit 2
+fi
+ok "gh $(gh --version | head -1 | awk '{print $3}')"
+
+# ── 2. Check authentication ────────────────────────────────────────────────────
+sep "Authentication"
+
+AUTH_STATUS=$(gh auth status 2>&1)
+if ! echo "$AUTH_STATUS" | grep -q "Logged in to github.com"; then
+  fail "Not authenticated. Run: gh auth login"
+  exit 2
+fi
+
+ACCOUNT=$(echo "$AUTH_STATUS" | grep -o 'account [^ ]*' | awk '{print $2}' | head -1)
+ok "Authenticated as @${ACCOUNT}"
+
+# ── 3. Detect repo ────────────────────────────────────────────────────────────
+sep "Repository"
+
+ORIGIN=$(git remote get-url origin 2>/dev/null || echo "")
+if [ -z "$ORIGIN" ]; then
+  fail "No 'origin' remote found. Is this a git repo with a GitHub remote?"
+  exit 1
+fi
+
+# Parse owner/repo from SSH or HTTPS URL
+if [[ "$ORIGIN" =~ git@github\.com[:/]([^/]+)/([^.]+)(\.git)?$ ]]; then
+  OWNER="${BASH_REMATCH[1]}"
+  REPO="${BASH_REMATCH[2]}"
+elif [[ "$ORIGIN" =~ https?://github\.com/([^/]+)/([^/.]+) ]]; then
+  OWNER="${BASH_REMATCH[1]}"
+  REPO="${BASH_REMATCH[2]}"
+else
+  fail "Cannot parse GitHub owner/repo from remote: $ORIGIN"
+  exit 1
+fi
+
+# Verify repo is accessible
+REPO_INFO=$(gh repo view "${OWNER}/${REPO}" --json name,owner,url,defaultBranchRef,visibility 2>&1)
+if ! echo "$REPO_INFO" | grep -q '"name"'; then
+  fail "Cannot access repo ${OWNER}/${REPO}. Check permissions."
+  exit 1
+fi
+
+VISIBILITY=$(echo "$REPO_INFO" | python3 -c "import sys,json; print(json.load(sys.stdin)['visibility'])" 2>/dev/null || echo "unknown")
+DEFAULT_BRANCH=$(echo "$REPO_INFO" | python3 -c "import sys,json; print(json.load(sys.stdin)['defaultBranchRef']['name'])" 2>/dev/null || echo "main")
+REPO_URL=$(echo "$REPO_INFO" | python3 -c "import sys,json; print(json.load(sys.stdin)['url'])" 2>/dev/null || echo "")
+
+ok "${OWNER}/${REPO} (${VISIBILITY,,}) — ${REPO_URL}"
+info "Default branch: ${DEFAULT_BRANCH}"
+
+# ── 4. Check secrets ──────────────────────────────────────────────────────────
+sep "GitHub Secrets"
+
+EXISTING_JSON=$(gh secret list --repo "${OWNER}/${REPO}" --json name 2>/dev/null || echo "[]")
+EXISTING_SECRETS=$(echo "$EXISTING_JSON" | python3 -c "
+import sys,json
+secrets = json.load(sys.stdin)
+for s in secrets: print(s['name'])
+" 2>/dev/null || echo "")
+
+# Define required secrets and their descriptions
+declare -A SECRET_DESC
+SECRET_DESC[WPE_SSH_KEY]="WP Engine SSH private key (contents of wpengine_ed25519)"
+SECRET_DESC[WPE_SSH_KNOWN_HOSTS]="Known hosts for git.wpengine.com + ssh.wpengine.net"
+SECRET_DESC[WPE_PROD_INSTALL]="Production install slug (e.g. mysite)"
+SECRET_DESC[WPE_PROD_GIT_URL]="Production git push URL from WPE portal"
+SECRET_DESC[WPE_STAGING_INSTALL]="Staging install slug (e.g. mysitestg)"
+SECRET_DESC[WPE_STAGING_GIT_URL]="Staging git push URL from WPE portal"
+SECRET_DESC[WPE_DEV_INSTALL]="Development install slug (e.g. mysitedev)"
+SECRET_DESC[WPE_DEV_GIT_URL]="Development git push URL from WPE portal"
+SECRET_DESC[WPE_API_USER]="WP Engine API username (from my.wpengine.com/api_access)"
+SECRET_DESC[WPE_API_PASSWORD]="WP Engine API password"
+SECRET_DESC[SLACK_WEBHOOK_URL]="Slack incoming webhook URL (optional)"
+
+REQUIRED_SECRETS=(
+  WPE_SSH_KEY WPE_SSH_KNOWN_HOSTS
+  WPE_PROD_INSTALL WPE_PROD_GIT_URL
+  WPE_STAGING_INSTALL WPE_STAGING_GIT_URL
+  WPE_DEV_INSTALL WPE_DEV_GIT_URL
+  WPE_API_USER WPE_API_PASSWORD
+)
+
+MISSING_SECRETS=()
+for secret in "${REQUIRED_SECRETS[@]}"; do
+  if echo "$EXISTING_SECRETS" | grep -qx "$secret"; then
+    ok "$secret"
+  else
+    warn "$secret — MISSING"
+    MISSING_SECRETS+=("$secret")
+  fi
+done
+
+# Optional
+if echo "$EXISTING_SECRETS" | grep -qx "SLACK_WEBHOOK_URL"; then
+  ok "SLACK_WEBHOOK_URL (optional)"
+else
+  info "SLACK_WEBHOOK_URL — not set (optional)"
+fi
+
+echo ""
+if [ "${#MISSING_SECRETS[@]}" -eq 0 ]; then
+  ok "All required secrets are set ✓"
+else
+  warn "${#MISSING_SECRETS[@]} secret(s) missing — run with --set-secrets to configure"
+fi
+
+# ── 5. Set missing secrets ────────────────────────────────────────────────────
+if $SET_SECRETS && [ "${#MISSING_SECRETS[@]}" -gt 0 ]; then
+  sep "Setting missing secrets"
+
+  for secret in "${MISSING_SECRETS[@]}"; do
+    echo ""
+    info "Setting: ${secret}"
+    info "Purpose: ${SECRET_DESC[$secret]}"
+
+    VALUE=""
+
+    case "$secret" in
+      WPE_SSH_KEY)
+        if [ -f "$WPE_KEY_FILE" ]; then
+          info "Reading from $WPE_KEY_FILE"
+          if confirm "  Set WPE_SSH_KEY from $WPE_KEY_FILE?"; then
+            VALUE=$(cat "$WPE_KEY_FILE")
+          fi
+        else
+          warn "Key file not found: $WPE_KEY_FILE"
+          info "Alternatives:"
+          info "  1. op read 'op://Employee/wpengine_ed25519/private key' > ~/.ssh/wpengine_ed25519"
+          info "  2. Paste the key manually below (enter blank line when done)"
+          if confirm "  Enter key manually?"; then
+            LINES=()
+            echo "  Paste private key (empty line to finish):"
+            while IFS= read -r line; do
+              [ -z "$line" ] && break
+              LINES+=("$line")
+            done
+            VALUE=$(printf '%s\n' "${LINES[@]}")
+          fi
+        fi
+        ;;
+
+      WPE_SSH_KNOWN_HOSTS)
+        info "Generating from ssh-keyscan..."
+        VALUE=$(
+          {
+            # git push host — RSA key
+            ssh-keyscan -t rsa git.wpengine.com 2>/dev/null
+            # Include hashed entry for git.wpengine.com too
+            ssh-keyscan -H git.wpengine.com 2>/dev/null
+            # Note: SSH gateway subdomains ({install}.ssh.wpengine.net) use
+            # StrictHostKeyChecking=accept-new in the workflow SSH config,
+            # so they don't need pre-scanned entries here.
+          }
+        )
+        if [ -n "$VALUE" ]; then
+          info "Generated $(echo "$VALUE" | wc -l) known_hosts entries"
+          info "Gateway subdomains auto-accepted via StrictHostKeyChecking=accept-new"
+          confirm "  Set WPE_SSH_KNOWN_HOSTS?" && true || VALUE=""
+        else
+          warn "ssh-keyscan failed — check network connectivity"
+        fi
+        ;;
+
+      WPE_PROD_INSTALL)
+        [ -n "$WPE_PROD" ] && VALUE="$WPE_PROD" || {
+          read -r -p "  Production install slug (e.g. mysite): " VALUE
+        }
+        ;;
+
+      WPE_PROD_GIT_URL)
+        SLUG="${WPE_PROD:-}"
+        if [ -z "$SLUG" ]; then
+          # Try to get from wp-cli.yml
+          SLUG=$(grep -A2 '@production' wp-cli.yml 2>/dev/null | grep 'ssh:' | awk '{print $2}' | cut -d@ -f1 || echo "")
+        fi
+        info "Get exact URL from: https://my.wpengine.com/installs/${SLUG:-<install>}/git_push"
+        read -r -p "  Production git URL (e.g. git@git.wpengine.com:mysite.git): " VALUE
+        ;;
+
+      WPE_STAGING_INSTALL)
+        [ -n "$WPE_STAGING" ] && VALUE="$WPE_STAGING" || {
+          read -r -p "  Staging install slug (e.g. mysitestg): " VALUE
+        }
+        ;;
+
+      WPE_STAGING_GIT_URL)
+        SLUG="${WPE_STAGING:-}"
+        info "Get exact URL from: https://my.wpengine.com/installs/${SLUG:-<install>}/git_push"
+        read -r -p "  Staging git URL (e.g. git@git.wpengine.com:mysitestg.git): " VALUE
+        ;;
+
+      WPE_DEV_INSTALL)
+        [ -n "$WPE_DEV" ] && VALUE="$WPE_DEV" || {
+          read -r -p "  Dev install slug (e.g. mysitedev): " VALUE
+        }
+        ;;
+
+      WPE_DEV_GIT_URL)
+        SLUG="${WPE_DEV:-}"
+        info "Get exact URL from: https://my.wpengine.com/installs/${SLUG:-<install>}/git_push"
+        read -r -p "  Dev git URL (e.g. git@git.wpengine.com:mysitedev.git): " VALUE
+        ;;
+
+      WPE_API_USER)
+        info "Find at: https://my.wpengine.com/api_access"
+        read -r -p "  WP Engine API username: " VALUE
+        ;;
+
+      WPE_API_PASSWORD)
+        info "Find at: https://my.wpengine.com/api_access"
+        read -r -s -p "  WP Engine API password (hidden): " VALUE
+        echo ""
+        ;;
+    esac
+
+    if [ -n "$VALUE" ]; then
+      echo "$VALUE" | gh secret set "$secret" --repo "${OWNER}/${REPO}"
+      ok "$secret set"
+    else
+      warn "$secret skipped"
+    fi
+  done
+fi
+
+# ── 6. Branch protection ──────────────────────────────────────────────────────
+sep "Branch Protection"
+
+check_branch_protection() {
+  local branch="$1"
+  local prot
+  prot=$(gh api "repos/${OWNER}/${REPO}/branches/${branch}/protection" 2>/dev/null || echo "")
+  if [ -z "$prot" ] || echo "$prot" | grep -q '"message"'; then
+    warn "${branch}: not protected"
+    return 1
+  fi
+  local checks
+  checks=$(echo "$prot" | python3 -c "
+import sys,json
+p = json.load(sys.stdin)
+checks = p.get('required_status_checks',{}).get('contexts',[])
+reviews = p.get('required_pull_request_reviews',{}).get('required_approving_review_count',0)
+print(f'status checks={checks}, reviewers={reviews}')
+" 2>/dev/null || echo "configured")
+  ok "${branch}: protected (${checks})"
+  return 0
+}
+
+BRANCHES_NEEDING_PROTECTION=()
+
+for branch in "$DEFAULT_BRANCH" "staging" "develop"; do
+  if ! check_branch_protection "$branch" 2>/dev/null; then
+    BRANCHES_NEEDING_PROTECTION+=("$branch")
+  fi
+done
+
+if [ "${#BRANCHES_NEEDING_PROTECTION[@]}" -eq 0 ]; then
+  ok "Branch protection looks good"
+elif ! $SET_PROTECTION; then
+  warn "${#BRANCHES_NEEDING_PROTECTION[@]} branch(es) not protected — run with --set-protection to configure"
+fi
+
+# ── 7. Apply branch protection ────────────────────────────────────────────────
+if $SET_PROTECTION && [ "${#BRANCHES_NEEDING_PROTECTION[@]}" -gt 0 ]; then
+  sep "Configuring Branch Protection"
+
+  for branch in "${BRANCHES_NEEDING_PROTECTION[@]}"; do
+    echo ""
+    info "Configuring: ${branch}"
+
+    # Determine required reviewer count
+    if [ "$branch" = "$DEFAULT_BRANCH" ]; then
+      REVIEWERS=2  # Production needs 2
+    else
+      REVIEWERS=1  # Staging/develop needs 1
+    fi
+
+    # Required status checks — gate-passed is the canonical check from ci-gate.yml
+    CONTEXTS='["gate-passed"]'
+
+    # For production, also require staging-source-check
+    if [ "$branch" = "$DEFAULT_BRANCH" ]; then
+      CONTEXTS='["gate-passed","staging-source-check"]'
+    fi
+
+    if ! confirm "  Set ${branch} protection (${REVIEWERS} reviewers, checks: ${CONTEXTS})?"; then
+      warn "${branch}: skipped"
+      continue
+    fi
+
+    PAYLOAD=$(python3 -c "
+import json
+contexts = ${CONTEXTS}
+payload = {
+  'required_status_checks': {
+    'strict': True,
+    'contexts': contexts
+  },
+  'enforce_admins': True,
+  'required_pull_request_reviews': {
+    'dismiss_stale_reviews': True,
+    'require_code_owner_reviews': False,
+    'required_approving_review_count': ${REVIEWERS}
+  },
+  'restrictions': None,
+  'allow_force_pushes': False,
+  'allow_deletions': False
+}
+print(json.dumps(payload))
+")
+
+    if echo "$PAYLOAD" | gh api "repos/${OWNER}/${REPO}/branches/${branch}/protection" \
+      --method PUT --input - >/dev/null 2>&1; then
+      ok "${branch}: protection configured (${REVIEWERS} reviewer(s), checks: ${CONTEXTS})"
+    else
+      fail "${branch}: failed to configure protection"
+      info "You may need admin access or a GitHub token with 'repo' scope"
+    fi
+  done
+fi
+
+# ── 8. Summary ────────────────────────────────────────────────────────────────
+sep "Summary"
+
+TOTAL_MISSING="${#MISSING_SECRETS[@]}"
+TOTAL_UNPROTECTED="${#BRANCHES_NEEDING_PROTECTION[@]}"
+
+if [ "$TOTAL_MISSING" -eq 0 ] && [ "$TOTAL_UNPROTECTED" -eq 0 ]; then
+  ok "GitHub repo is fully configured for WP Engine CI/CD"
+  ok "Secrets: all set | Branch protection: all configured"
+else
+  [ "$TOTAL_MISSING" -gt 0 ] && warn "Secrets missing: $TOTAL_MISSING (run --set-secrets)"
+  [ "$TOTAL_UNPROTECTED" -gt 0 ] && warn "Branches unprotected: ${BRANCHES_NEEDING_PROTECTION[*]} (run --set-protection)"
+  echo ""
+  info "Re-run:  bash ${0} --set-all"
+fi
+
+echo ""
+info "GitHub Actions:  https://github.com/${OWNER}/${REPO}/actions"
+info "Secrets:         https://github.com/${OWNER}/${REPO}/settings/secrets/actions"
+info "Branch rules:    https://github.com/${OWNER}/${REPO}/settings/branches"
+echo ""

package/skills-custom/wp-wpengine/SKILL.md

@@ -42,8 +42,10 @@ chmod 600 ~/.ssh/wpengine_ed25519
 
 # Trust WP Engine git push host (RSA — what WP Engine's git.wpengine.com serves)
 ssh-keyscan -t rsa git.wpengine.com >> ~/.ssh/known_hosts
-# Trust WP Engine SSH gateway
-ssh-keyscan -H ssh.wpengine.net >> ~/.ssh/known_hosts
+# Gateway: scan the specific install hostname (each install has its own subdomain)
+# Do this once per environment you connect to:
+ssh-keyscan -H <install>.ssh.wpengine.net >> ~/.ssh/known_hosts
+# e.g.: ssh-keyscan -H mysite.ssh.wpengine.net >> ~/.ssh/known_hosts
 ```
 
 Add to `~/.ssh/config` (before any `Host *` block):
@@ -55,15 +57,18 @@ Host git.wpengine.com
   IdentityFile ~/.ssh/wpengine_ed25519
   IdentitiesOnly yes
 
-# WP Engine SSH gateway (WP-CLI + direct access)
+# WP Engine SSH gateway (WP-CLI + file transfer)
 Host *.ssh.wpengine.net
   IdentityFile ~/.ssh/wpengine_ed25519
   IdentitiesOnly yes
   ControlMaster auto
   ControlPath ~/.ssh/wpe-%r@%h:%p
   ControlPersist 10m
+  StrictHostKeyChecking accept-new
 ```
 
+> **`StrictHostKeyChecking accept-new`**: automatically accepts and stores the host key on first connection, then rejects any change to that key (MITM protection). Safer than `no`; avoids having to manually `ssh-keyscan` each install hostname.
+>
 > **ControlMaster / ControlPersist**: multiplexes SSH connections so subsequent commands over the same gateway reuse the existing connection. Cuts per-command latency from ~2 s to ~100 ms for repeated WP-CLI invocations.
 
 Verify git push access:
@@ -92,13 +97,19 @@ where `<environment>` is `production`, `staging`, or `development`.
 
 ```bash
 # Production (copy exact URL from portal)
-git remote add wpengine-prod git@git.wpengine.com:production/<install-name>.git
-
-# Staging
-git remote add wpengine-staging git@git.wpengine.com:staging/<install-name>stg.git
-
-# Development
-git remote add wpengine-dev git@git.wpengine.com:development/<install-name>dev.git
+# ⚠️  Always copy the exact URL from the WP Engine portal — formats vary by account:
+#    https://my.wpengine.com/installs/<ENV>/git_push
+#
+# Modern accounts (most common):
+git remote add wpengine-prod git@git.wpengine.com:<install-name>.git
+# Legacy accounts (some plans add an environment prefix):
+# git remote add wpengine-prod git@git.wpengine.com:production/<install-name>.git
+
+# Staging (check portal for exact URL)
+git remote add wpengine-staging git@git.wpengine.com:<install-name>stg.git
+
+# Development (check portal for exact URL)
+git remote add wpengine-dev git@git.wpengine.com:<install-name>dev.git
 ```
 
 Deploy:
@@ -179,6 +190,59 @@ wp @production search-replace 'old-domain.com' 'new-domain.com' --dry-run
 
 > Commit `wp-cli.yml` to the repo so all team members and CI pipelines share the same remote aliases.
 
+#### Method D — SCP / rsync for file transfer
+
+The SSH gateway also accepts SCP and rsync (port 22). Use this to pull/push files without a full git push:
+
+```bash
+# SCP: download a file from the server
+scp -P 22 <install>@<install>.ssh.wpengine.net:sites/<install>/wp-content/uploads/large-file.zip ./
+
+# SCP: upload a file to the server
+scp -P 22 ./my-patch.php <install>@<install>.ssh.wpengine.net:sites/<install>/wp-content/plugins/my-plugin/
+
+# rsync: sync wp-content/uploads from production to local (read-only pull)
+rsync -avz --progress \
+  -e "ssh -p 22" \
+  <install>@<install>.ssh.wpengine.net:sites/<install>/wp-content/uploads/ \
+  ./local-uploads/
+
+# rsync: push a theme to staging (careful with --delete)
+rsync -avz --dry-run \
+  -e "ssh -p 22" \
+  ./my-theme/ \
+  <install>stg@<install>stg.ssh.wpengine.net:sites/<install>stg/wp-content/themes/my-theme/
+```
+
+> **WP Engine server path**: WordPress root is `sites/<install>/` relative to the SSH home, or `/home/wpe-user/sites/<install>` as an absolute path. `wp-content/` lives inside that root.
+
+#### Method E — Multiple commands via heredoc
+
+Run several commands in one SSH session without reconnecting:
+
+```bash
+# Heredoc over SSH (most efficient — one connection for all commands)
+ssh <install>@<install>.ssh.wpengine.net bash -s << 'EOF'
+  set -e
+  wp cache flush --skip-plugins --skip-themes
+  wp rewrite flush --skip-plugins --skip-themes
+  wp cron event run --due-now --skip-plugins --skip-themes
+  wp core version --skip-plugins --skip-themes
+EOF
+
+# Interactive WP-CLI commands need -t (pseudo-TTY allocation)
+# e.g. wp shell for a REPL session
+ssh -t <install>@<install>.ssh.wpengine.net wp shell
+```
+
+#### SSH gateway environment notes
+
+- **Restricted shell**: The gateway provides a limited shell environment. WP-CLI, PHP, basic POSIX utilities (echo, cat, stat, du, find, grep) and rsync/SCP are available. Package installation (`apt`, `yum`), sudo, and arbitrary service management are **not** available.
+- **PHP version**: Matches the PHP version configured for that WP Engine install. `php --version` to confirm.
+- **WordPress path**: `~/sites/<install>/` (relative to SSH home) or `/home/wpe-user/sites/<install>` (absolute).
+- **`--path` flag**: If WP-CLI returns "not a WordPress installation", add `--path=/home/wpe-user/sites/<install>` explicitly.
+- **Legacy gateway**: `ssh.wpengine.net` (no subdomain) is the old generic gateway address. Current convention always uses `<install>.ssh.wpengine.net`.
+
 ---
 
 ### 4) Common remote WP-CLI operations
@@ -376,9 +440,9 @@ curl -fsSL https://raw.githubusercontent.com/wpengine/wpe-labs-platform-skills/m
 | Symptom | Fix |
 |---|---|
 | `Host key verification failed` (git) | `ssh-keyscan git.wpengine.com >> ~/.ssh/known_hosts` |
-| `Host key verification failed` (gateway) | `ssh-keyscan -H ssh.wpengine.net >> ~/.ssh/known_hosts` |
+| `Host key verification failed` (gateway) | Run `ssh-keyscan -H <install>.ssh.wpengine.net >> ~/.ssh/known_hosts` for that specific install hostname. Or add `StrictHostKeyChecking accept-new` to the `*.ssh.wpengine.net` SSH config block — it will auto-accept on first connect. |
 | `Permission denied` | Confirm key at `~/.ssh/wpengine_ed25519`, `chmod 600`. Check the key is registered under **SSH Keys** in the WP Engine portal (separate from git push keys). |
-| `git push rejected` | Verify remote URL includes environment prefix (`production/<install>.git`). Get the exact URL from the portal: `https://my.wpengine.com/installs/<ENV>/git_push` |
+| `git push rejected` | Get the exact URL from the portal (`https://my.wpengine.com/installs/<ENV>/git_push`). URL format varies by account — copy it verbatim. |
 | SSH gateway hangs | Kill stale ControlMaster socket: `ssh -O stop <install>@<install>.ssh.wpengine.net` |
 | `wp: command not found` on gateway | WP Engine's WP-CLI path: try `php /usr/local/bin/wp` or contact WP Engine support |
 | WP-CLI returns wrong site | Add `--path=/home/wpe-user/sites/<install>` explicitly |

package/skills-custom/wp-wpengine/references/github-actions-deploy.md

@@ -83,17 +83,21 @@ Add under **Settings → Secrets and variables → Actions**:
 | Secret | Value |
 |--------|-------|
 | `WPE_SSH_KEY` | Private key (contents of `wpengine_ed25519`) |
-| `WPE_SSH_KNOWN_HOSTS` | Output of `ssh-keyscan -t rsa git.wpengine.com && ssh-keyscan -H ssh.wpengine.net` |
+| `WPE_SSH_KNOWN_HOSTS` | Output of `ssh-keyscan -t rsa git.wpengine.com && ssh-keyscan -H git.wpengine.com` (git push host only; gateway subdomains use `StrictHostKeyChecking accept-new`) |
 | `WPE_PROD_INSTALL` | Production install slug (e.g., `mysite`) |
+| `WPE_PROD_GIT_URL` | Production git remote URL from portal (`git_push` page) |
 | `WPE_STAGING_INSTALL` | Staging install slug (e.g., `mysitestg`) |
+| `WPE_STAGING_GIT_URL` | Staging git remote URL from portal |
 | `WPE_DEV_INSTALL` | Development install slug (e.g., `mysitedev`) |
+| `WPE_DEV_GIT_URL` | Development git remote URL from portal |
 | `WPE_API_USER` | WP Engine API username (for backup snapshots) |
 | `WPE_API_PASSWORD` | WP Engine API password |
 | `SLACK_WEBHOOK_URL` | Slack incoming webhook (optional, for notifications) |
 
 Generate the known hosts value once and save:
 ```bash
-{ ssh-keyscan -t rsa git.wpengine.com; ssh-keyscan -H ssh.wpengine.net; } 2>/dev/null
+{ ssh-keyscan -t rsa git.wpengine.com; ssh-keyscan -H git.wpengine.com; } 2>/dev/null
+# Note: SSH gateway subdomains use StrictHostKeyChecking=accept-new in workflows
 ```
 
 ---
@@ -254,7 +258,8 @@ jobs:
         env:
           INSTALL: ${{ secrets.WPE_DEV_INSTALL }}
         run: |
-          git remote add wpe-dev git@git.wpengine.com:development/${INSTALL}.git
+          # URL from portal: https://my.wpengine.com/installs/<ENV>/git_push (set WPE_DEV_GIT_URL secret)
+          git remote add wpe-dev "${WPE_DEV_GIT_URL:-git@git.wpengine.com:${INSTALL}.git}"
           # Force-add built assets (normally gitignored)
           git add -f dist/ build/ 2>/dev/null || true
           git diff --cached --quiet || git commit -m "ci: add built assets [skip ci]"
@@ -264,7 +269,7 @@ jobs:
         env:
           INSTALL: ${{ secrets.WPE_DEV_INSTALL }}
         run: |
-          ssh -o StrictHostKeyChecking=no ${INSTALL}@${INSTALL}.ssh.wpengine.net \
+          ssh -o StrictHostKeyChecking=accept-new ${INSTALL}@${INSTALL}.ssh.wpengine.net \
             wp cache flush --skip-plugins --skip-themes
 ```
 
@@ -355,7 +360,8 @@ jobs:
         env:
           INSTALL: ${{ secrets.WPE_STAGING_INSTALL }}
         run: |
-          git remote add wpe-staging git@git.wpengine.com:staging/${INSTALL}.git
+          # URL from portal: set WPE_STAGING_GIT_URL secret
+          git remote add wpe-staging "${WPE_STAGING_GIT_URL:-git@git.wpengine.com:${INSTALL}.git}"
           git add -f dist/ build/ 2>/dev/null || true
           git diff --cached --quiet || git commit -m "ci: add built assets [skip ci]"
           git push wpe-staging HEAD:main --force
@@ -364,7 +370,7 @@ jobs:
         env:
           INSTALL: ${{ secrets.WPE_STAGING_INSTALL }}
         run: |
-          ssh -o StrictHostKeyChecking=no ${INSTALL}@${INSTALL}.ssh.wpengine.net bash -s <<'EOF'
+          ssh -o StrictHostKeyChecking=accept-new ${INSTALL}@${INSTALL}.ssh.wpengine.net bash -s <<'EOF'
             set -e
             wp cache flush --skip-plugins --skip-themes
             wp rewrite flush --skip-plugins --skip-themes
@@ -534,7 +540,8 @@ jobs:
         env:
           INSTALL: ${{ secrets.WPE_PROD_INSTALL }}
         run: |
-          git remote add wpe-prod git@git.wpengine.com:production/${INSTALL}.git
+          # URL from portal: set WPE_PROD_GIT_URL secret
+          git remote add wpe-prod "${WPE_PROD_GIT_URL:-git@git.wpengine.com:${INSTALL}.git}"
           git add -f dist/ build/ 2>/dev/null || true
           git diff --cached --quiet || git commit -m "ci: add built assets [skip ci]"
           git push wpe-prod HEAD:main --force
@@ -543,7 +550,7 @@ jobs:
         env:
           INSTALL: ${{ secrets.WPE_PROD_INSTALL }}
         run: |
-          ssh -o StrictHostKeyChecking=no ${INSTALL}@${INSTALL}.ssh.wpengine.net bash -s <<'EOF'
+          ssh -o StrictHostKeyChecking=accept-new ${INSTALL}@${INSTALL}.ssh.wpengine.net bash -s <<'EOF'
             set -e
             wp cache flush --skip-plugins --skip-themes
             wp rewrite flush --skip-plugins --skip-themes
@@ -603,7 +610,7 @@ jobs:
             "https://${INSTALL}.wpenginepowered.com/" --max-time 30)
           echo "Post-rollback status: HTTP $STATUS"
           # Flush cache after rollback
-          ssh -o StrictHostKeyChecking=no ${INSTALL}@${INSTALL}.ssh.wpengine.net \
+          ssh -o StrictHostKeyChecking=accept-new ${INSTALL}@${INSTALL}.ssh.wpengine.net \
             wp cache flush --skip-plugins --skip-themes
           echo "❌ Deployment was ROLLED BACK to $PREV_SHA"
           exit 1  # Mark the job as failed so Slack notifies